A User Always Finds a Way: The Federal Security Dilemma

Our experts share how the road to data loss is usually paved with good intentions, and strategies for federal agencies to combat unintended mistakes.
3 min read
Last updated June 11, 2025
Federal Cybersecurity

The stakes are high in federal government and contracting environments.

Sensitive data like Controlled Unclassified Information (CUI), export-controlled data, and classified material are tightly governed by policies like DFARS, NIST 800-171, and CMMC.

Despite this, every day, well-meaning users sidestep security policies to complete mission-critical work. These users are not malicious. They are mission-focused. But when the system gets in the way of the mission, a user always finds a way. 

Real workarounds that put data at risk 

Consider a DLP policy that blocks a spreadsheet from being shared in Gmail. In the federal space, that spreadsheet might contain CUI or contractor bid data subject to audit, breach reporting, and potential legal liability.

Now suppose a user attempts to email a compliance matrix for a proposal to a subcontractor. The DLP policy flags the email because it contains key phrases associated with export controls.

Instead of escalating or reporting the issue, the user: 

  • Screenshots the file 
  • Sends it from a personal Gmail account 
  • Or uploads it to a non-compliant cloud platform 

The intent? Keep the project moving. 
The result? A potential CUI spill, ITAR violation, or breach of DFARS 252.204-7012. 

Labeling fatigue in CUI environments 

Manual labeling systems prompt users to mark every file with a sensitivity label. In theory, this should ensure that data is handled according to classification rules. But in practice: 

  • Users can default to "Unclassified" or "Public" to bypass enforcement 
  • Labels can be applied inconsistently or incorrectly 
  • Files could be spread across shared drives or unmanaged devices 

This erodes the value of security controls and breaks audit trails needed for CMMC certification. 

Why users bypass security in federal workflows 

As mentioned previously, the intent behind bypassing security measures isn't always malicious. A few reasons security gets bypassed include:

  • Mission always comes first: Federal teams operate under tight timelines, grants, procurements, proposal deadlines, and real-world consequences. 
  • Overreaching policies: Broad or poorly tuned DLP rules can block legitimate work, creating daily friction. 
  • Lack of awareness: Even with training, many users don’t fully grasp the sensitivity of data they’re handling. 
  • Shadow IT culture: When official systems are slow or too restrictive, users turn to personal accounts, thumb drives, or consumer tools. 

Security isn’t just a technical issue. It’s a human behavior issue, especially in high-pressure, high-stakes environments. 


How to improve security without hindering the mission

Here are steps security teams can take to keep security best practices consistent and strong, without interrupting daily operations. 

Automate classification at the source

Don’t rely on users to label CUI or ITAR data correctly. AI-powered tools can scan documents, understand context (contracts, program names, technical specs), and apply consistent labels without relying on human judgment.

Tune DLP policies to avoid collateral damage

Overly aggressive DLP settings that flag everything slow down users and invite workarounds. Refine policies using actual content patterns, past incidents, and role-specific context. Precision beats paranoia. 
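As an added illustration of what "precision beats paranoia" looks like in practice (this is example code written for this page, not Varonis code or any product's rule syntax), the Python below compares a keyword-only DLP rule with a tuned one that keys on actual CUI/ITAR markings and on the sender's role and the recipient's domain. The messages, domain names and role names are constructed for the example.

```python
import re

# Constructed sample messages for the example (not real mail). Fields:
# id, sender's role, recipient address, subject, body.
MESSAGES = [
    {"id": "m1", "role": "contracts", "to": "partner@subco.example",
     "subject": "Compliance matrix for proposal",
     "body": "Attached is the compliance matrix. Please export the table to PDF before review."},
    {"id": "m2", "role": "engineering", "to": "me@personal-mail.example",
     "subject": "specs",
     "body": "CUI//SP-EXPT\nTechnical data subject to ITAR (22 CFR 120-130), USML Category XI."},
    {"id": "m3", "role": "engineering", "to": "teammate@agency.example",
     "subject": "Drawings for review",
     "body": "CUI//SP-EXPT Revised drawings attached, see sheet 3."},
    {"id": "m4", "role": "marketing", "to": "press@news.example",
     "subject": "Press release",
     "body": "Our export growth this quarter was controlled by strong demand."},
    {"id": "m5", "role": "export-compliance", "to": "partner@subco.example",
     "subject": "Technical data package",
     "body": "CUI//SP-EXPT Technical data per ITAR, 22 CFR 120-130, for our cleared subcontractor."},
]

# Assumed organisational context (constructed for the example).
INTERNAL_DOMAINS = {"agency.example"}
CONSUMER_DOMAINS = {"personal-mail.example"}          # personal webmail, never allowed
EXPORT_ROLES = {"engineering", "export-compliance"}   # roles expected to handle ITAR data

# Weak rule: block on any export-control keyword, wherever it appears.
WEAK_KEYWORDS = re.compile(r"\b(export|ITAR|controlled)\b", re.I)

def weak_rule(msg):
    """True means 'block'. Fires on ordinary English as readily as on CUI."""
    return bool(WEAK_KEYWORDS.search(msg["subject"] + "\n" + msg["body"]))

# Tuned rule: require an actual marking or regulatory citation, then decide
# by who is sending to whom instead of by keyword alone.
MARKINGS = [
    re.compile(r"\bCUI//\S*EXPT\b"),            # CUI banner carrying the export-controlled category
    re.compile(r"\bITAR\b.*\b22 CFR\b", re.S),  # ITAR named together with its regulation
    re.compile(r"\bUSML Category\b", re.I),     # explicit munitions-list reference
]

def tuned_rule(msg):
    """Return (decision, reason) with decision in {'allow', 'review', 'block'}."""
    text = msg["subject"] + "\n" + msg["body"]
    if not any(p.search(text) for p in MARKINGS):
        return ("allow", "no export-control marking or citation present")
    domain = msg["to"].rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return ("allow", "marked data stays inside the internal domain")
    if domain in CONSUMER_DOMAINS:
        return ("block", "marked data addressed to a consumer mail domain")
    if msg["role"] not in EXPORT_ROLES:
        return ("block", f"role '{msg['role']}' is not expected to send marked data externally")
    return ("review", "marked data to an external partner from an authorised role; hold for review")

def compare(messages=MESSAGES):
    """Map message id -> (weak rule verdict, tuned rule decision)."""
    return {m["id"]: (weak_rule(m), tuned_rule(m)[0]) for m in messages}

if __name__ == "__main__":
    for mid, (weak, tuned) in compare().items():
        print(f"{mid}: keyword rule {'BLOCK' if weak else 'allow'}  |  tuned rule {tuned}")
```

The keyword rule blocks the harmless compliance matrix and the press release (the daily friction that invites workarounds) while letting the unlabelled-but-marked drawings in m3 through, because "EXPT" is not one of its keywords. The tuned rule allows the three legitimate flows, blocks the marked data headed for personal webmail, and holds the partner transfer for review rather than silently stopping it.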

Use behavior analytics to spot risky workarounds

Track user behavior, not just content. Did a user who normally works 9–5 suddenly upload 10GB of data at 2 a.m.? Are files being renamed or zipped to avoid detection? These are signals of risky patterns, not just policy violations. 

Build security into productivity tools

If collaboration platforms are hard to use or restrict access by default, users will seek alternatives. Enable secure sharing tools with built-in auditing, labeling, and encryption so the path of least resistance is also the safest. 

Security isn’t about control — it's about context 

In government environments, we often think of compliance as a checklist. But that usually misses the point. A security policy that isn’t aligned with how people actually work is just a suggestion, and one that users will bypass if it prevents them from delivering results. 

The future of secure federal contracting doesn’t rely on blocking users. 

It relies on understanding them, predicting their behaviors, and automating protection in the background. 

Stop relying on users to get security right 

When the mission is on the line, a user will always find a way around the process, past the policy, through the cracks. Not because they want to break the rules, but because they need to get the job done. 

To protect sensitive federal data: 

  • Tune policies to real-world use 
  • Monitor behaviors, not just documents 
  • Empower mission delivery without compromising security 

At Varonis, our challenge isn’t stopping them — it’s securing the shortcuts they would’ve taken. 

Interested in learning more? See how we can help you improve your security and speak with our Varonis Federal Team today. 
